CVE-2026-1035: Keycloak does not validate and update refresh token usage atomically

January 21, 2026

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined.

References

access.redhat.com/security/cve/CVE-2026-1035
bugzilla.redhat.com/show_bug.cgi?id=2430314
github.com/advisories/GHSA-m2w5-7xhv-w6fh
github.com/keycloak/keycloak
github.com/keycloak/keycloak/issues/45647
nvd.nist.gov/vuln/detail/CVE-2026-1035

Code Behaviors & Features

Detect and mitigate CVE-2026-1035 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →